W32.Kradellsh

W32.Kradellsh is a computer worm that propagates by creating a copy of itself on removable drives. It hides itself from anti-virus applications using a rootkit technique. Once on the system, the worm modifies the Windows registry and creates its own entries.

Technical Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Manual Removal of W32.Kradellsh:

1. Temporarily disable System Restore (Windows Me/XP/Vista/7). [how to]
2. Update the virus definitions.
3. Restart Windows in Safe Mode. [how to]
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry. [how to edit registry]
6. Exit the registry editor and restart Windows.

Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free Online Virus Scanner, which can be found here or on the websites of legitimate anti-virus and security providers.

Technical Details and Additional Information:

Malicious Files Added by W32.Kradellsh:
%System%\drivers\beep.sys
%DriveLetter%\setup.exe
%System%\regedit32.exe
%System%\regedit325516.exe
%System%\regedut32.exe
%System%\Msierit32.exe
%System%\domain.exe

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BACKGROUND_SWITCH\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BACKGROUND_SWITCH\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BACKGROUND_SWITCH\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BACKGROUND_SWITCH\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BACKGROUND_SWITCH\0000\"DeviceDesc" = "[VARIES]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BACKGROUND_SWITCH\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BACKGROUND_SWITCH\0000\"Service" = "[VARIES]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackGround switch\"DisplayName" = "[VARIES]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackGround switch\"ErrorControl" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackGround switch\"ImagePath" = "[COPIED FILE NAME]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackGround switch\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackGround switch\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackGround switch\"Type" = "272"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackGround switch\Security\"Security" = "[BINARY DATA]"
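The file and registry artifacts above can be checked for before any cleanup is attempted. The following read-only PowerShell script is an added example and is not part of the original write-up; it assumes that %System% maps to $env:SystemRoot\System32 and that removable drives are those reported by Win32_LogicalDisk with DriveType 2. It reports artifacts and changes nothing.

```powershell
# Added example (not from the original advisory): read-only check for the
# W32.Kradellsh artifacts listed above. Run from an elevated PowerShell prompt.
# Assumption: %System% in the advisory maps to $env:SystemRoot\System32.

$system   = Join-Path $env:SystemRoot 'System32'
$findings = @()

# File names taken from the advisory. beep.sys is left out of this list on
# purpose: it is also the name of a stock Windows driver, so its presence alone
# proves nothing; it is checked by signature below instead.
$droppedFiles = @(
    'regedit32.exe', 'regedit325516.exe', 'regedut32.exe',
    'Msierit32.exe', 'domain.exe'
)

foreach ($name in $droppedFiles) {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path }
    }
}

# %System%\drivers\beep.sys: flag it only when it does not carry a valid
# Microsoft signature, which is what a replaced driver would look like.
$beep = Join-Path $system 'drivers\beep.sys'
if (Test-Path -LiteralPath $beep) {
    $sig = Get-AuthenticodeSignature -FilePath $beep
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += [pscustomobject]@{
            Type = 'File'
            Item = "$beep (signature status: $($sig.Status))"
        }
    }
}

# %DriveLetter%\setup.exe on each removable drive (DriveType 2 = removable).
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $candidate = Join-Path $disk.DeviceID 'setup.exe'
    if (Test-Path -LiteralPath $candidate) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $candidate }
    }
}

# Registry: the service key and the legacy device enumeration key.
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\BackGround switch'
$enumKey    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BACKGROUND_SWITCH'

foreach ($key in @($serviceKey, $enumKey)) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = $key }
    }
}

# The service's ImagePath names the copied file that is actually loaded,
# which is the one to hand to the scanner or quarantine in Safe Mode.
if (Test-Path -LiteralPath $serviceKey) {
    $img = (Get-ItemProperty -LiteralPath $serviceKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = "ImagePath = $img" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Kradellsh artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run the script before and after following the manual removal steps: a clean run after step 6 confirms that both the dropped files and the service entries are gone, while a surviving ImagePath entry means the service key still needs to be removed from Safe Mode.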
